Cookies and security concerns: personal details and Internet privacy
Some questions and answers on the concerns and issues regarding the use of cookies and the risk to the security of your confidential data and online Internet privacy.
See JavaScript: Cookies for tutorials on how to process and utilize cookies.
What is a cookie?
A cookie is a small plain text file that a website can store on a visitor's machine. Through a web browser a website can create, retrieve and delete cookies; they are used by the website to store information about the visitor, which may be used to identify or authenticate that visitor.
How long do cookies last?
By default a cookie lasts for the duration of the web browser session and is removed when the browser is closed; these cookies are known as transient or session cookies. It is possible for a website to create persistent cookies that last beyond the web browser session, and it is these that are stored on the hard drive of the user's machine.
What are cookies used for and what information can a cookie store about the visitor?
1. A cookie can store information to identify whether the visitor has been to the website before, thereby allowing any personalization preferences set by the user to be applied to that website. These personalization preferences may apply to a single session and thus be stored in a transient cookie, or may be stored in a persistent cookie and then applied to any return visit in the future.
2. A cookie can store unique session ID values. These session ID values are used to validate a visitor after they have logged in to the website, so that the visitor does not have to keep entering their login details each time they access a new page in the secure area of the website. The website will request the session ID from the cookie, check on the server for a match and determine that the session is authenticated.
3. Cookies can be used to store any information that the visitor has entered in a form on that website. See Example below.
4. Shopping cart information.
5. Browsing habits and the pages that a visitor has viewed on the website.
6. etc., etc.
So essentially a cookie has one purpose: to remember information about an individual visitor.
What a cookie is not and cannot do.
Cookies cannot be used to hack into the contents of a user's hard drive or to steal information by accessing the contents of other files or programs. Cookies are not computer programs, and they are not, and cannot transmit, computer viruses.
It is possible to access the document.cookie object string and read the stored cookie information relating to the website domain you are currently viewing by entering either of the following statements into the browser address bar:
javascript:window.alert(document.cookie) or javascript:document.write(document.cookie)
Either will give access to the document.cookie object string, which is a delimited list of all the cookies relating to that domain together with the information they currently have stored in them. There may be many individual cookies, and each cookie is separated from the next by the semicolon and space '; ' characters. Within each individual cookie string the name of the cookie comes first and is separated from the value by the equals '=' character.
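As an added example (not code from the original page or from the JavaScript: Cookies snippets it refers to), here is a small parser for the document.cookie string format just described: split on the '; ' delimiter, then split each cookie at the first '=' so that a value which itself contains '=' survives intact. The sample string and the cookie names petName, petType and note are constructed for this demonstration; in a browser you would pass document.cookie itself. It also measures a name=value pair against the 4096-byte per-cookie limit.

```javascript
// Constructed sample in the format document.cookie returns:
// "name=value; name2=value2" (values are often URL-encoded by the site).
const SAMPLE_COOKIE_STRING = 'petName=Gerald; petType=Three-toed%20sloth; note=a%3Db%3Dc';

// Per-cookie size limit in bytes commonly enforced by browsers.
const MAX_COOKIE_BYTES = 4096;

// Parse a document.cookie-style string into a { name: value } object.
function parseCookies(cookieString) {
  const cookies = {};
  if (!cookieString) return cookies;
  // Browsers emit "; " between cookies; tolerate a bare ";" as well.
  for (const part of cookieString.split(/;\s*/)) {
    if (part === '') continue;
    const eq = part.indexOf('=');
    // A cookie with no '=' has a name but no value.
    if (eq === -1) { cookies[part.trim()] = ''; continue; }
    const name = part.slice(0, eq).trim();
    const raw = part.slice(eq + 1);          // everything after the FIRST '='
    let value;
    try {
      value = decodeURIComponent(raw);
    } catch (e) {
      value = raw;                           // leave malformed %-escapes untouched
    }
    cookies[name] = value;
  }
  return cookies;
}

// Size in bytes of the encoded "name=value" pair as the browser would store it.
function cookieSizeBytes(name, value) {
  return new TextEncoder().encode(`${name}=${encodeURIComponent(value)}`).length;
}

// True when the pair fits within the per-cookie limit.
function fitsCookieLimit(name, value) {
  return cookieSizeBytes(name, value) <= MAX_COOKIE_BYTES;
}

// Walk through the sample the way the demonstration below reads the pet cookies.
for (const [name, value] of Object.entries(parseCookies(SAMPLE_COOKIE_STRING))) {
  console.log(`${name} -> ${value} (${cookieSizeBytes(name, value)} bytes)`);
}
```

The parser deliberately does not split on every '=': a value such as 'a=b=c' is legal once URL-encoded, and splitting naively would silently truncate it.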
For example: a practical demonstration of how cookies can be used to store information that a visitor has entered in a form.
The following demonstration is rather trivial, in that in practice it would not be 'sensible' to enter confidential information into a form hosted on a website that is not using secure data transfer over the Internet such as Hypertext Transfer Protocol Secure (HTTPS). I say trivial, but: do you trust that the site utilizing HTTPS has a full understanding of the vulnerabilities? And what about websites not running HTTPS, such as your webmail, blog host or cloud computing account?
In this demonstration two cookies have been used to store information that has been entered into a form and I will show you, using the 'javascript:window.alert(document.cookie)' statement above, how to check on the data that has been stored. I will utilize the JavaScript code snippet from javascriptcookiesnippets6.php in the JavaScript: Cookies section of this website to demonstrate this.
First let us see an example of a simple form requesting us to enter some information:

Let me enter some information in the form fields on the 'First page'. In this case some 'personal' details about my unusual pet.

I 'Proceed to page 2 of the form' by clicking on the button. The act of clicking on the button creates the cookies and stores the information about my pet.
The website now shows us the 'Second page' of the form, with the information about my pet which it has retrieved from the cookies and entered in the second form as a reminder or perhaps as a summary.

I have also entered the statement 'javascript:window.alert(document.cookie)' in the browser address bar of the second page so we can access the cookies.
Now press the 'Enter' key on the keyboard and the following window appears:

As you can see, the window above contains a delimited list of the names of the two cookies and the data they currently have stored in them: the information that I entered in the form fields.
Now there is nothing essentially sinister in this. The website in this case is utilizing first-party cookies to circumvent the stateless nature of the web: storing some information in cookies so that it may retrieve that data at a later date and display it in a separate web page. I am just demonstrating how easily this can be done, and that if the website is using persistent cookies and the data is not encrypted, this information will be on the hard drive after you have walked away from the machine.
Note:
It is said that each domain can store 20 cookies on a user's machine, but this figure can be greater depending on the browser.
Each cookie can be no more than 4096 bytes (4KB) in size, 300 cookies on a user's machine for each browser is normally allowed, and one browser cannot access another browser's cookies.
That's still a great deal of information.
Who can access the information stored in cookies?
Normally the information stored in a cookie is accessed and used by the website or domain that you are directly visiting: first-party cookies.
However, third-party cookies are set by a third-party website. Often these are advertising companies that have the ability to place adverts on several different websites and set cookies created by the advertiser's domain. They are then able to harvest information about the sites you have visited that carry that company's adverts, by retrieving the cookies set by the advertiser's domain. Third-party cookies can therefore be used to track users from website to website and are the cookies that raise the most concerns. These can be used to target advertising based on a user's profile. Even if the user's profile is anonymous, this still raises privacy issues.
A session cookie containing session ID values can be intercepted by a man-in-the-middle as it passes across the Internet, which may result in session hijacking. This is especially likely if the communication is carried out over HTTP and not the secure version of HTTP known as Hypertext Transfer Protocol Secure (HTTPS).
Then of course persistent cookies can be read by any individual with administrator privileges and access to the machine.
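Added example, not the page's own code, showing the defender's side of the risks listed above. buildCookie assembles a cookie string in the syntax accepted by a document.cookie assignment or a Set-Cookie header; auditSessionCookie reads such a string back and reports the weaknesses this page discusses: no Secure attribute (so the cookie travels over plain HTTP and can be intercepted), and an expiry that turns a session ID into a persistent cookie written to disk. It also checks two standard attributes the page does not mention: HttpOnly, which keeps a cookie out of document.cookie, and SameSite, which limits sending the cookie on cross-site requests. The attribute names are the standard ones; the cookie name sessionid and its value are constructed.

```javascript
// Build "name=value; Attr; Attr=val" for document.cookie or a Set-Cookie header.
// Omitting maxAgeSeconds yields a session (transient) cookie.
function buildCookie(name, value, options = {}) {
  if (!/^[\w.-]+$/.test(name)) throw new Error('invalid cookie name: ' + name);
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (options.maxAgeSeconds !== undefined) {
    parts.push(`Max-Age=${options.maxAgeSeconds}`);   // makes the cookie persistent
  }
  parts.push(`Path=${options.path || '/'}`);
  if (options.secure) parts.push('Secure');           // only sent over HTTPS
  // HttpOnly is honoured only in a server's Set-Cookie header; a browser
  // rejects a document.cookie assignment that carries it.
  if (options.httpOnly) parts.push('HttpOnly');
  if (options.sameSite) parts.push(`SameSite=${options.sameSite}`);
  return parts.join('; ');
}

// Return the attribute names (lower-cased) present on a cookie string.
function cookieAttributes(cookieString) {
  const parts = cookieString.split(/;\s*/).slice(1);  // skip name=value
  return new Set(parts.map(p => p.split('=')[0].trim().toLowerCase()));
}

// Report the weaknesses of a cookie that carries a session ID.
function auditSessionCookie(cookieString) {
  const attrs = cookieAttributes(cookieString);
  const findings = [];
  if (!attrs.has('secure')) {
    findings.push('missing Secure: sent over plain HTTP, exposed to interception');
  }
  if (!attrs.has('httponly')) {
    findings.push('missing HttpOnly: readable through document.cookie');
  }
  if (attrs.has('expires') || attrs.has('max-age')) {
    findings.push('persistent: session ID outlives the browser session and is written to disk');
  }
  if (!attrs.has('samesite')) {
    findings.push('missing SameSite: sent on cross-site requests');
  }
  return findings;
}

// Constructed session cookie values: a weak definition beside a hardened one.
const WEAK_SESSION_COOKIE = buildCookie('sessionid', 'abc123', { maxAgeSeconds: 86400 });
const HARDENED_SESSION_COOKIE = buildCookie('sessionid', 'abc123', {
  secure: true, httpOnly: true, sameSite: 'Lax',
});

console.log('weak:    ', WEAK_SESSION_COOKIE, auditSessionCookie(WEAK_SESSION_COOKIE));
console.log('hardened:', HARDENED_SESSION_COOKIE, auditSessionCookie(HARDENED_SESSION_COOKIE));
```

The audit is string-based on purpose: it can be run over Set-Cookie headers captured from a site you operate, so that a session cookie without Secure, or one given an expiry it does not need, is caught before it reaches users.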
Blocking cookies.
Third-party cookies can usually be blocked through the browser options or preferences to increase Internet privacy without causing any problems.
It is also possible through the browser options or preferences to disable or block cookies altogether. The trouble with that is that it may take away a great deal of the functionality and convenience of the web that we take for granted; many websites cannot function without cookies, and most likely these include websites that you enjoy and use regularly.
Deleting cookies at the end of a browsing session.
A compromise would be to delete all cookies when you have finished a browsing session. This would not hinder the functionality of the website for that session, but it will mean that the website will not remember you when you next visit. It would also mean that third-party cookies could not track you across individual browsing sessions. Whether you consider that a convenience or a hindrance is up to you.
Conclusion.
Essentially I believe it is a question of trust in a website and a brand. It is about carrying the same common sense attitude to privacy that we use in the 'concrete' world over to the way we interact with the electronic virtual world of the Internet. For example, I trust my local community centre to look after my contact details and not give them out to anyone else, but I would not divulge my personal details to a sales marketing company cold calling me at random. In the same fashion I trust Amazon.com to have systems in place to handle my payment details responsibly, but I would be extremely wary of giving confidential data to a website that was returned from a one-off simple search on a search engine. When I have made a decision to trust a website brand, I make sure that that is the website I am actually interacting with by simply checking the domain name in the browser address bar.
It is this issue of being tracked across multiple websites by third-party cookies set by advertising companies to build anonymous user profiles of our surfing habits that raises privacy concerns. However, third-party cookies can usually be blocked without causing any problems.
Article by: David Beet.
Date: 7th May 2009.
Copyright © 2006-2012 justfigures.co.uk
